September 6, 2007, 8:59 pm
internal hosts, from arbitrary external systems, via a gateway host.
A setup I came up with is:
* On GW host, have one (or more) gw accounts with a password.
* For every ssh user, in GW account on GW host:
  * create a passphrase-protected key
  * On each host they need to connect to:
    * copy key to their authorized_keys file
Each user should only be able to ssh into the GW host, then ssh to
one of their allowed hosts by specifying their keyfile.
- Can I forbid password authentication from the GW host to the
internal hosts, but still allow it between two internal hosts? It
doesn't seem that PasswordAuthentication can appear in a Match
- Can I forbid port forwarding to/from the GW, or at least require
use of a key rather than the password?
- Is this whole approach pointless, and should I be doing something
completely different? The need is for a reasonably simple procedure
with as little as possible required on the remote end; it's acceptable
to need setup and preparation on the GW and/or internal systems.
Thanks for any suggestions.
Re: Gateway host configuration
It can but it was only added in version 4.6. Which version are you
Set "AllowTcpForwarding no" in the gateway's sshd_config.
If your gateway host supports it you could also use user-based packet
filter rules to restrict where your users can connect to, for example
"user <foo>" rules in PF or --uid-owner rules in iptables.
This would control all outgoing (and incoming) connections not just
those made by ssh.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
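As an added example (not code from the thread, from Darren Tucker, or from OpenSSH) covering both the setup in the question and the reply's three points, the script below writes a constructed sshd_config for an internal host that keeps password logins for internal-to-internal sessions but uses a Match block (OpenSSH 4.6 or later) to deny password authentication and TCP forwarding for sessions coming from the gateway, audits that file for those two settings, and prints (without applying) iptables --uid-owner rules for the gateway account. GW_ADDR, GW_USER, INTERNAL_NET and all function names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: audit an internal
# host's sshd_config for the two restrictions discussed above (no password
# logins and no TCP forwarding for sessions arriving from the gateway) and
# print, without applying, per-uid iptables rules for the gateway account.
# GW_ADDR, GW_USER and INTERNAL_NET are assumed placeholder values.

GW_ADDR="${GW_ADDR:-192.0.2.10}"            # assumed gateway address (placeholder)
GW_USER="${GW_USER:-gwuser}"                # assumed gateway account (placeholder)
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/8}"  # assumed internal range (placeholder)

# Write a constructed sshd_config for an internal host: passwords stay allowed
# between internal hosts, but a Match block (OpenSSH 4.6 or later) turns them
# off for connections that come from the gateway's address.
write_sample_config() {
    cat > "$1" <<EOF
Port 22
PasswordAuthentication yes
AllowTcpForwarding yes

Match Address $GW_ADDR
    PasswordAuthentication no
    AllowTcpForwarding no
EOF
}

# Print the value of KEY set globally in FILE (before any Match line).
global_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print the value of KEY inside the "Match Address ADDR" block of FILE.
# Simplification: the Address criterion is compared as an exact string, so a
# comma-separated list or a differently written CIDR is not recognised.
match_value() {
    awk -v addr="$2" -v key="$3" '
        tolower($1) == "match" {
            inblk = (tolower($2) == "address" && $3 == addr); next
        }
        inblk && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 when FILE denies both password auth and TCP forwarding for sessions
# from the gateway, 1 otherwise (printing the missing setting).
check_internal_config() {
    pw=$(match_value "$1" "$GW_ADDR" PasswordAuthentication)
    fwd=$(match_value "$1" "$GW_ADDR" AllowTcpForwarding)
    [ "$pw" = "no" ]  || { echo "missing: PasswordAuthentication no in Match Address $GW_ADDR"; return 1; }
    [ "$fwd" = "no" ] || { echo "missing: AllowTcpForwarding no in Match Address $GW_ADDR"; return 1; }
    return 0
}

# Print (never run) iptables OUTPUT rules that confine the gateway account to
# ssh towards the internal range, the --uid-owner approach the reply mentions.
uid_owner_rules() {
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -p tcp -d %s --dport 22 -j ACCEPT\n' "$GW_USER" "$INTERNAL_NET"
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j REJECT\n' "$GW_USER"
}

# Stand-alone demo on the constructed config.
demo_file=$(mktemp)
write_sample_config "$demo_file"
if check_internal_config "$demo_file"; then
    echo "sample config: gateway restrictions present"
else
    echo "sample config: gateway restrictions MISSING"
fi
uid_owner_rules
rm -f "$demo_file"
```

Run it against a real file with `check_internal_config /etc/ssh/sshd_config` after setting GW_ADDR to the gateway's address; an empty result from `match_value` means the Match block is absent, which on a pre-4.6 sshd is expected since Match is not understood there.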